Basic Network Security
• Perimeter devices
  – Firewall
  – Intrusion Detection/Prevention System
  – URL Filter/Web proxy
  – Spam filter
• If an attacker successfully breaches your wireless infrastructure, how valuable are your perimeter security devices?
10/15/2013 CST8304 - 802.11 Security 1
Basic Network Security
Defining Wi-Fi Security
• How does one define Wi-Fi security?
  – Encryption of the data
  – Encryption of the transmission medium
  – Environmental shielding
  – User education
• Let’s take a closer look at attacks and countermeasures…
Attack Techniques
• How do attackers break into Wi-Fi networks?
• Are all attacks meant to gain unauthorized access?
  – No.
• Are all attacks technical in nature?
  – No.
Social Engineering
• Wily attackers use knowledge gained through illegitimate means to present themselves as an initiated member of a company
  – After dumpster diving, an attacker may discover a hidden SSID written down on a post-it note
  – The attacker calls the help desk, pretending to be an employee
  – The attacker mentions the name of the hidden SSID but states that they have forgotten the WPA key
    • Maybe the help desk agent gives them the WPA key…
Social Engineering
• Recognize this guy?
  – Kevin Mitnick
  – Once the most wanted computer criminal in the United States
  – Social engineering since age 12
  – Compromised systems without using hacking tools – only codes/passwords he obtained through social engineering
Social Engineering Targets
• The Help Desk
  – Often holds the keys to accessing the Wi-Fi network
  – Can sometimes fall into a routine of assisting users without asking for verification
    • Verifying users may also not be a part of the company policy on the whole
  – Often under-trained, from a security perspective
    • Attackers will often portray a user who is very smart, or very dumb, to get the info they want
  – Some attackers will threaten users with manager engagement
    • This is where having a good manager comes in…
Social Engineering Targets
• On-site Contractors
  – Not fully invested in the company, not loyal
  – May receive more access than necessary
• Contractors may also become the attackers
  – Too much access + excessive curiosity = potential for compromise
  – Mr. Mitnick is a good example.
Social Engineering Targets
• Employees/end users
  – Sometimes credentials are shared in order to provide access to resources on an interim basis
    • There may be a lack of understanding of accountability
  – Wireless keys/passwords may be on post-its in plain sight
  – Leaving systems unlocked
  – Receiving calls from the “help desk” to confirm their credentials
Social Engineering Countermeasures
• Education, education, EDUCATION!
  – Ensure that your users know better than to leave passwords or Wi-Fi keys written down
    • Introduce software such as KeePass to users for storage of passwords and keys
  – Ensure that users are NOT sharing passwords for ANYTHING
  – Loose lips sink ships.
• Ensure that your help desk knows how to properly authenticate users
• If it’s written in policy, even the CEO can’t call in without proper identification and get access (and they can’t fire you because it’s written in a policy)
Social Engineering Countermeasures
• Shred-IT boxes
  – Most companies have shred-it boxes in their offices nowadays
  – Instead of providing information to those who are willing to dumpster dive, the info is disposed of securely
• Implement proper security policies
  – Follow the principle of minimal access
  – Users (especially contractors) should only have access to resources that are mission critical
Eavesdropping
• Wi-Fi signal is sent on an extremely tap-able distribution medium – The air!
• A well-placed antenna can view copies of the data being transmitted over the air
• War driving is a good example of eavesdropping
• Defined as the intercepting and reading of messages and information by unintended recipients.
Eavesdropping
• Analogy – verbal communication
  – When someone speaks to you, or to a group with which you are affiliated, it is a conversation, not eavesdropping
  – If someone is speaking to another individual, or to a group with which you have no affiliation, but you decide to listen in… that’s eavesdropping.
    • And if you decide to chime in on a conversation to which you are not invited… that’s intrusion!
Eavesdropping
• Tools of the trade
  – Discovery
    • NetStumbler (or MacStumbler for Mac)
    • KisMet (or KisMac)
    • Easy Wi-Fi Radar
  – Sniffing/Injection
    • Wireshark
    • OmniPeek
    • CommView
    • AirPcap
    • Javvin CAPSA
    • MS NetMon
Eavesdropping Countermeasures
• Environmental shielding
  – If the signal can’t get through the walls, an attacker will have a hard time picking it up!
• Hidden SSID
  – Causes clients to send directed probes, which can be intercepted and provide an avenue for hijacking
• Disable mixed mode
  – Permitting clients to connect with 802.11b/g/n opens up more avenues for intrusion
Hijacking
• Commandeering a user’s wireless connection without consent
• Layer 2 hijacking = DoS
  – If the attacker provides layer 3 functionality, they can potentially take over the target system
Hijacking
• DoS – How it’s done
  – An attacker will run an AP using the same SSID as a legit AP to which the target is associated
  – The attacker helps the target de-auth from the AP through de-auth frames or excessive interference
  – The target must now re-associate to an AP
  – The attacker ensures that their rogue AP has a stronger signal than the legit AP to coax the target into associating to their equipment
Hijacking
• Layer 3 Attack – How it’s done
  – Start off with the same steps as the DoS
  – In this scenario, the rogue AP is equipped with DHCP connectivity
  – Target gets kicked off of the legit AP, re-associates to the rogue AP
  – Rogue AP provides an IP address to the target
  – The attacker now has the target’s IP address and can commence with a full-scale attack
Hijacking
[Diagram: the Target receives a weaker signal from the Legit AP and a stronger signal from the Attacker’s Rogue AP]
Hijacking
• If a user were to re-associate to the rogue AP, and then attempt a connection to an FTP site, a tool such as Karma could redirect the traffic, in turn intercepting the user’s credentials.
Hijacking
• Windows + Mobile Device Vulnerability
  – Preferred network list (PNL)
    • List of preferred SSIDs for association
  – Devices will try to connect to each AP in the PNL
    • Disclosure of each network in the PNL
    • Great opportunity to find out which networks are preferred and stand up a rogue AP with an SSID from the list
  – Windows Specific
    • If no SSIDs from the PNL are available, generate some random SSID and attempt to connect to that… this helps keep the adapter from turning off when not connected
    • Software exists to respond to any SSID association requests
Hijacking Countermeasures
• WIDS/Rogue AP Detection
  – Split MAC w/ Controller Config
  – If the controller notices a rogue AP, it can drown it out
    • Controller starts broadcasting the same SSID as the rogue AP
    • Controller increases the power until it is greater than that of the rogue AP
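A check of the kind the WIDS/rogue AP detection slide describes, written here as an added example (not code from the course): it compares beacons heard by a passive sensor against an inventory of managed BSSIDs, flags any unknown BSSID advertising a corporate SSID, and notes whether that rogue was heard louder than the legitimate AP, the situation in the hijacking diagram. The inventory, addresses and signal values are constructed for the example.

```python
# Added example, not from the slides: the rogue-AP check a WIDS performs,
# run over constructed beacon observations from a passive monitor-mode
# sensor. The AUTHORIZED inventory and all addresses are hypothetical.
from collections import namedtuple

Beacon = namedtuple("Beacon", "bssid ssid channel rssi_dbm")

# Hypothetical inventory: corporate SSID -> BSSIDs the controller manages.
AUTHORIZED = {"CORP-WIFI": {"00:11:22:33:44:01", "00:11:22:33:44:02"}}

def find_rogue_aps(beacons, authorized=AUTHORIZED):
    """Return (bssid, ssid, channel, rssi_dbm, stronger_than_legit) for each
    unknown BSSID advertising a corporate SSID, strongest sighting per BSSID.

    stronger_than_legit is True when the rogue was heard louder than every
    authorized AP on that SSID: the evil-twin setup from the hijacking
    slides, where clients re-associate to the stronger rogue signal.
    """
    legit_best = {}  # ssid -> loudest authorized beacon seen
    for b in beacons:
        if b.bssid in authorized.get(b.ssid, ()):
            legit_best[b.ssid] = max(legit_best.get(b.ssid, -200), b.rssi_dbm)
    findings = {}    # rogue bssid -> strongest finding
    for b in beacons:
        if b.ssid not in authorized or b.bssid in authorized[b.ssid]:
            continue  # neighbour network, or one of our own APs
        stronger = b.rssi_dbm > legit_best.get(b.ssid, -200)
        prev = findings.get(b.bssid)
        if prev is None or b.rssi_dbm > prev[3]:
            findings[b.bssid] = (b.bssid, b.ssid, b.channel, b.rssi_dbm, stronger)
    return sorted(findings.values())

# Constructed sightings: two managed APs, a neighbour's network, an evil twin
# on channel 11 heard twice and louder than either managed AP, and a second
# unknown AP using our SSID but heard only weakly.
SAMPLE_BEACONS = [
    Beacon("00:11:22:33:44:01", "CORP-WIFI", 1, -62),
    Beacon("00:11:22:33:44:02", "CORP-WIFI", 6, -70),
    Beacon("aa:bb:cc:dd:ee:ff", "CoffeeShop", 11, -55),
    Beacon("de:ad:be:ef:00:01", "CORP-WIFI", 11, -44),
    Beacon("de:ad:be:ef:00:01", "CORP-WIFI", 11, -41),
    Beacon("de:ad:be:ef:00:02", "CORP-WIFI", 1, -83),
]

if __name__ == "__main__":
    for f in find_rogue_aps(SAMPLE_BEACONS):
        print("ROGUE bssid=%s ssid=%s ch=%d rssi=%d stronger=%s" % f)
```

A real deployment would feed this from a monitor-mode capture (Kismet or a controller's sensor export) and keep the inventory in sync with the WLAN controller.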
Denial of Service
• Launched against Layer 1 or 2
• Layer 1 = RF Jamming
  – e.g. cell phone jammers
  – High-power RF radiators across the 2.4GHz or 5GHz spectrum
  – Signal generator strength is greater than that of your 802.11 device, so users only get the noise from the signal generator, rather than your device
Denial of Service
• Accidental DoS can come from other appliances
  – Microwave or cordless phone, for example
• Generally detected by users complaining of loss of service
Denial of Service
• Layer 2 Attack
  – Attacker spoofs the BSSID and sends deauthentication frames from said BSSID
    • De-auth frames are management frames, and therefore will not be ignored by the STA
  – Several different types
    • PS-Poll Floods
    • Association Floods
    • Auth Floods
    • Empty Data Floods
Denial of Service
• PS-Poll Flood
  – PS = Power Saving
  – STA tells the AP that it will enter PS mode
  – AP caches data frames for the STA while it sleeps
  – An attacker could spoof the STA MAC ID and send PS-Poll frames
  – The AP would then send all of the data frames to the attacker and the target, and the target may not get the data (if it is in PS mode)
Denial of Service
• Association Flood
  – Attacker floods the AP with association packets from random MAC IDs
  – This means that it will be less likely that a legit STA will authenticate
• Auth Flood
  – Same as association flood, only the attacker uses authentication packets instead of association packets
Denial of Service
• Empty Data Floods
  – Multiple Wi-Fi adapters in an attacker STA
  – Attacker generates a multitude of packets of the maximum allowable size
  – Use up most of the Wi-Fi bandwidth
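As an added example (not from the course material) covering the layer-2 DoS slides above, a rate-based detector for deauth, auth and association floods run over a constructed management-frame log of the kind a monitor-mode sensor records; the per-second thresholds, BSSID and client addresses are illustrative assumptions.

```python
# Added example, not from the slides: rate-based detection of the layer-2
# floods listed above, over a constructed monitor-mode management-frame log.
# Thresholds and addresses are illustrative assumptions.
from collections import defaultdict, namedtuple

Frame = namedtuple("Frame", "t subtype src bssid")  # t = seconds

DEAUTH_PER_SEC = 20    # deauth/disassoc frames claiming one BSSID per second
NEW_MACS_PER_SEC = 30  # distinct client MACs sending auth/assoc to one BSSID

def detect_floods(frames, deauth_thr=DEAUTH_PER_SEC, mac_thr=NEW_MACS_PER_SEC):
    """Return sorted alerts (second, kind, bssid, count).

    deauth_flood: a burst of deauth/disassoc frames spoofing one BSSID.
    auth_flood / assoc_flood: many distinct source MACs hitting one BSSID.
    802.11w lets clients drop forged deauths, but the burst is still
    visible to a passive sensor, so this check stays useful.
    """
    deauth = defaultdict(int)   # (sec, bssid) -> frame count
    sources = defaultdict(set)  # (sec, kind, bssid) -> {src MAC}
    for f in frames:
        sec = int(f.t)
        if f.subtype in ("deauth", "disassoc"):
            deauth[(sec, f.bssid)] += 1
        elif f.subtype in ("auth", "assoc_req"):
            kind = "auth_flood" if f.subtype == "auth" else "assoc_flood"
            sources[(sec, kind, f.bssid)].add(f.src)
    alerts = [(s, "deauth_flood", b, n) for (s, b), n in deauth.items()
              if n >= deauth_thr]
    alerts += [(s, k, b, len(m)) for (s, k, b), m in sources.items()
               if len(m) >= mac_thr]
    return sorted(alerts)

AP = "00:11:22:33:44:01"  # constructed BSSID of the legit AP

def constructed_log():
    """Second 0: normal join. Second 1: 25 spoofed deauths.
    Second 2: association requests from 40 random client MACs."""
    log = [Frame(0.1, "auth", "c0:ff:ee:00:00:01", AP),
           Frame(0.2, "assoc_req", "c0:ff:ee:00:00:01", AP),
           Frame(0.9, "deauth", AP, AP)]
    log += [Frame(1.0 + i / 100, "deauth", AP, AP) for i in range(25)]
    log += [Frame(2.0 + i / 100, "assoc_req", "02:00:00:00:00:%02x" % i, AP)
            for i in range(40)]
    return log

if __name__ == "__main__":
    for a in detect_floods(constructed_log()):
        print("ALERT t=%ds %s bssid=%s n=%d" % a)
```

A PS-Poll flood can be caught the same way by counting PS-Poll frames per (second, source MAC), since a sleeping station should not poll at a high rate.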